[Freeipa-devel] [PATCH] 755 upgrade IPA on installation

Martin Kosek mkosek at redhat.com
Mon Mar 21 08:03:25 UTC 2011


On Fri, 2011-03-18 at 11:21 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
> >>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
> >>> restriction when run in --upgrade mode. This allows us to autobind
> >>> giving root Directory Manager powers.
> >>>
> >>> This also:
> >>> * corrects the ipa-ldap-updater man page
> >>> * removes automatic --realm, --server, --domain options
> >>> * handles upgrade errors properly
> >>> * saves a copy of dse.ldif before we change it so it can be recovered
> >>> * fixes an error discovered by pylint
> >>>
> >>> ticket 1087
> >>>
> >>> rob
> >>
> >> NACK.
> >>
> >> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
> >> upgrade was also correctly executed after I did the RPM upgrade.
> >>
> >> But I have hit two issues:
> >>
> >> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
> >> server I get the following error:
> >>
> >> $ ipa-ldap-updater
> >> IPA is not configured on this system.
> >>
> >> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
> >> guess we should either use another method of detecting installed IPA or
> >> make the script root-only (as we do with other scripts taking advantage
> >> of fstore).
> >>
> >>
> >> 2) I get stacktrace when I run ipa-ldap-updater with --ldapi:
> >>
> >> $ sudo ipa-ldap-updater --ldapi
> >> Traceback (most recent call last):
> >> File "/usr/sbin/ipa-ldap-updater", line 125, in <module>
> >> sys.exit(main())
> >> File "/usr/sbin/ipa-ldap-updater", line 111, in main
> >> ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not
> >> options.test, ldapi=options.ldapi)
> >> File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> >> line 125, in __init__
> >> conn.do_external_bind(self.pw_name)
> >> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> >> 360, in do_external_bind
> >> self.__lateinit()
> >> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> >> 260, in __lateinit
> >> [ 'nsslapd-directory' ])
> >> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
> >> 378, in getEntry
> >> raise errors.NotFound(reason=notfound(args))
> >> ipalib.errors.NotFound: * not found
> >>
> >> I know that --ldapi did not work before the patch either, it just
> >> crashed with another stacktrace. But it would be nice to fix this one.
> >>
> >> Martin
> >
> > Issues addressed.
> >
> > I'm going to do a best-possible check for IPA Installation when non-root
> > but stick with the fstore when doing it as root. This is because it is
> > more important because it may be done automatically in rpm.
> >
> > rob
> 
> fixed a couple more issues Martin discovered:
> 
> - catch errors if the GSSAPI connection fails
> - do console logging when doing a password-based update as root
> 
> rob

ACK. Good job, everything works fine.

Martin



